https://github.com/cetic/helm-nifi
kubectl create namespace nifi
git clone https://github.com/cetic/helm-nifi.git
cd nifi
helm repo update
helm dep up
cd ../charts
tar -xvf nifi-registry-0.1.1.tgz
tar -xvf zookeeper-5.23.0.tgz
rm -rf nifi-registry-0.1.1.tgz zookeeper-5.23.0.tgz
cd ../
Edit the values file:
vim values.yaml
storageClass: managed-nfs-storage

ingress:
  enabled: true
  annotations: {}
  tls: []
  hosts: [nifi.test.ru]
  path: /
The complete file looks as follows:
cat values.yaml
---
# Number of nifi nodes
replicaCount: 1

## Set default image, imageTag, and imagePullPolicy.
## ref: https://hub.docker.com/r/apache/nifi/
##
image:
  repository: apache/nifi
  tag: "1.12.1"
  pullPolicy: IfNotPresent

  ## Optionally specify an imagePullSecret.
  ## Secret must be manually created in the namespace.
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  ##
  # pullSecret: myRegistrKeySecretName

securityContext:
  runAsUser: 1000
  fsGroup: 1000

sts:
  # Parallel podManagementPolicy for faster bootstrap and teardown. Default is OrderedReady.
  podManagementPolicy: Parallel
  AntiAffinity: soft
  hostPort: null
  pod:
    annotations:
      security.alpha.kubernetes.io/sysctls: net.ipv4.ip_local_port_range=10000 65000
      #prometheus.io/scrape: "true"

serviceAccount:
  create: false
  #name: nifi

## Useful if using any custom secrets
## Pass in some secrets to use (if required)
# secrets:
# - name: myNifiSecret
#   keys:
#     - key1
#     - key2
#   mountPath: /opt/nifi/secret

## Useful if using any custom configmaps
## Pass in some configmaps to use (if required)
# configmaps:
# - name: myNifiConf
#   keys:
#     - myconf.conf
#   mountPath: /opt/nifi/custom-config

properties:
  # use externalSecure for when inbound SSL is provided by nginx-ingress or other external mechanism
  externalSecure: false
  isNode: true # set to false if ldap is enabled
  httpPort: 8080 # set to null if ldap is enabled
  httpsPort: null # set to 9443 if ldap is enabled
  webProxyHost:
  clusterPort: 6007
  clusterSecure: false # set to true if ldap is enabled
  needClientAuth: false
  provenanceStorage: "8 GB"
  siteToSite:
    port: 10000
  authorizer: managed-authorizer
  # use properties.safetyValve to pass explicit 'key: value' pairs that overwrite other configuration
  safetyValve:
    #nifi.variable.registry.properties: "${NIFI_HOME}/example1.properties, ${NIFI_HOME}/example2.properties"
    nifi.web.http.network.interface.default: eth0
    # listen to loopback interface so "kubectl port-forward …" works
    nifi.web.http.network.interface.lo: lo

## Include aditional processors
# customLibPath: "/opt/configuration_resources/custom_lib"

## Include additional libraries in the Nifi containers by using the postStart handler
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/
# postStart: /opt/nifi/psql; wget -P /opt/nifi/psql https://jdbc.postgresql.org/download/postgresql-42.2.6.jar

# Nifi User Authentication
auth:
  admin: CN=admin, OU=NIFI
  SSL:
    keystorePasswd: env:PASS
    truststorePasswd: env:PASS
  ldap:
    enabled: false
    host: ldap://<hostname>:<port>
    searchBase: CN=Users,DC=example,DC=com
    admin: cn=admin,dc=example,dc=be
    pass: password
    searchFilter: (objectClass=*)
    userIdentityAttribute: cn
    authStrategy: SIMPLE # How the connection to the LDAP server is authenticated. Possible values are ANONYMOUS, SIMPLE, LDAPS, or START_TLS.
    identityStrategy: USE_DN
    authExpiration: 12 hours
  oidc:
    enabled: false
    discoveryUrl:
    clientId:
    clientSecret:
    claimIdentifyingUser: email
    ## Request additional scopes, for example profile
    additionalScopes:

## Expose the nifi service to be accessed from outside the cluster (LoadBalancer service).
## or access it from within the cluster (ClusterIP service). Set the service type and the port to serve it.
## ref: http://kubernetes.io/docs/user-guide/services/
##

# headless service
headless:
  type: ClusterIP
  annotations:
    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"

# ui service
service:
  type: LoadBalancer
  httpPort: 8080
  httpsPort: 9443
  nodePort: 30236
  annotations: {}
  # loadBalancerIP:
  ## Load Balancer sources
  ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
  ##
  # loadBalancerSourceRanges:
  # - 10.10.10.0/24
  ## OIDC authentication requires "sticky" session on the LoadBalancer for JWT to work properly…but AWS doesn't like it on creation
  # sessionAffinity: ClientIP
  # sessionAffinityConfig:
  #   clientIP:
  #     timeoutSeconds: 10800

  # Enables additional port/ports to nifi service for internal processors
  processors:
    enabled: false
    ports:
      - name: processor01
        port: 7001
        targetPort: 7001
        #nodePort: 30701
      - name: processor02
        port: 7002
        targetPort: 7002
        #nodePort: 30702

## Configure Ingress based on the documentation here: https://kubernetes.io/docs/concepts/services-networking/ingress/
##
ingress:
  enabled: true
  annotations: {}
  tls: []
  hosts: [nifi.test.local]
  path: /
  # If you want to change the default path, see this issue https://github.com/cetic/helm-nifi/issues/22

# Amount of memory to give the NiFi java heap
jvmMemory: 2g

# Separate image for tailing each log separately and checking zookeeper connectivity
sidecar:
  image: busybox
  tag: "1.32.0"

## Enable persistence using Persistent Volume Claims
## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
##
persistence:
  enabled: false

  # When creating persistent storage, the NiFi helm chart can either reference an already-defined
  # storage class by name, such as "standard" or can define a custom storage class by specifying
  # customStorageClass: true and providing the "storageClass", "storageProvisioner" and "storageType".
  # For example, to use SSD storage on Google Compute Engine see values-gcp.yaml
  #
  # To use a storage class that already exists on the Kubernetes cluster, we can simply reference it by name.
  # For example:
  storageClass: nfs-storageclass
  #
  # The default storage class is used if this variable is not set.

  accessModes: [ReadWriteOnce]
  ## Storage Capacities for persistent volumes
  configStorage:
    size: 100Mi
  authconfStorage:
    size: 100Mi
  # Storage capacity for the 'data' directory, which is used to hold things such as the flow.xml.gz, configuration, state, etc.
  dataStorage:
    size: 1Gi
  # Storage capacity for the FlowFile repository
  flowfileRepoStorage:
    size: 10Gi
  # Storage capacity for the Content repository
  contentRepoStorage:
    size: 10Gi
  # Storage capacity for the Provenance repository. When changing this, one should also change the properties.provenanceStorage value above, also.
  provenanceRepoStorage:
    size: 10Gi
  # Storage capacity for nifi logs
  logStorage:
    size: 5Gi

## Configure resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
##
resources: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #  cpu: 100m
  #  memory: 128Mi
  # requests:
  #  cpu: 100m
  #  memory: 128Mi

logresources:
  requests:
    cpu: 10m
    memory: 10Mi
  limits:
    cpu: 50m
    memory: 50Mi

nodeSelector: {}

tolerations: []
  # - key: node.kubernetes.io/disk-pressure
  #   effect: NoSchedule

initContainers: {}
  # foo-init:  # <- will be used as container name
  #   image: "busybox:1.30.1"
  #   imagePullPolicy: "IfNotPresent"
  #   command: ['sh', '-c', 'echo this is an initContainer']
  #   volumeMounts:
  #     - mountPath: /tmp/foo
  #       name: foo

extraVolumeMounts: []

extraVolumes: []

## Extra containers
extraContainers: []

terminationGracePeriodSeconds: 30

## Extra environment variables that will be pass onto deployment pods
env: []

## Extra environment variables from secrets and config maps
envFrom: []

# envFrom:
#   - configMapRef:
#       name: config-name
#   - secretRef:
#       name: mysecret

## Openshift support
## Use the following varables in order to enable Route and Security Context Constraint creation
openshift:
  scc:
    enabled: false
  route:
    enabled: false
    #host: www.test.com
    #path: /nifi

# ca server details
# Setting this true would create a nifi-toolkit based ca server
# The ca server will be used to generate self-signed certificates required setting up secured cluster
ca:
  ## If true, enable the nifi-toolkit certificate authority
  enabled: false
  persistence:
    enabled: true
  server: ""
  service:
    port: 9090
  token: sixteenCharacters
  admin:
    cn: admin
  serviceAccount:
    create: false
    #name: nifi-ca
  openshift:
    scc:
      enabled: false

# ------------------------------------------------------------------------------
# Zookeeper:
# ------------------------------------------------------------------------------
zookeeper:
  ## If true, install the Zookeeper chart
  ## ref: https://github.com/bitnami/charts/blob/master/bitnami/zookeeper/values.yaml
  enabled: true
  ## If the Zookeeper Chart is disabled a URL and port are required to connect
  url: ""
  port: 2181
  replicaCount: 3
  # podAntiAffinityPreset: soft

# ------------------------------------------------------------------------------
# Nifi registry:
# ------------------------------------------------------------------------------
registry:
  ## If true, install the Nifi registry
  enabled: true
  url: ""
  port: 80
  ## Add values for the nifi-registry here
  ## ref: https://github.com/dysnix/charts/blob/master/nifi-registry/values.yaml
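Before running helm install it is worth checking what the file above leaves open: the ingress has tls: [], the UI service is a LoadBalancer serving plain HTTP on 8080, clusterSecure and needClientAuth are false, and the chart's placeholder LDAP password and CA token are still in the file. The following shell function is an added example, not part of the post or of the cetic/helm-nifi chart, that greps a values file for exactly those lines. It matches key: value text rather than parsing YAML, so it is a pre-install sanity check; the path of the values file is its only argument.

```sh
#!/bin/sh
# Added example (not from the post or the chart): flag plaintext and placeholder
# settings in a helm-nifi values file. Text matching only, not a YAML parser.

# audit_values FILE
# Prints one line per finding and returns 1 if anything was found, 0 if clean.
audit_values() {
    file="$1"
    found=0
    # Table of "ERE pattern|message"; the loop runs in the current shell (heredoc
    # redirect, not a pipe), so "found" keeps its value after the loop.
    while IFS='|' read -r pattern message; do
        [ -z "$pattern" ] && continue
        if grep -Eq -- "$pattern" "$file"; then
            echo "$message"
            found=$((found + 1))
        fi
    done <<'EOF'
^[[:space:]]*pass:[[:space:]]*password[[:space:]]*$|auth.ldap.pass: chart placeholder password still present
^[[:space:]]*token:[[:space:]]*sixteenCharacters|ca.token: chart placeholder CA token still present
^[[:space:]]*tls:[[:space:]]*\[\][[:space:]]*$|ingress.tls: empty, so the UI is served over plain HTTP
^[[:space:]]*type:[[:space:]]*LoadBalancer|service.type: LoadBalancer exposes the UI outside the cluster
^[[:space:]]*clusterSecure:[[:space:]]*false|properties.clusterSecure: false, node-to-node traffic is not TLS
^[[:space:]]*needClientAuth:[[:space:]]*false|properties.needClientAuth: false, no client certificates required
EOF
    [ "$found" -eq 0 ]
}

# Usage, e.g. as a gate in a deploy script:
#   audit_values helm-nifi/values.yaml || { echo "fix values.yaml before helm install"; exit 1; }
```

The patterns are anchored to the start of a line, so commented-out copies of the same keys (for example in the resources block) are not reported, and a value such as pass: s3cret-from-vault passes the first check because only the literal placeholder is matched.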
Next, edit the file:
vim nifi/charts/nifi-registry/values.yaml
persistence:
  enabled: true
  database:
    storageClass: "managed-nfs-storage"
    accessMode: ReadWriteOnce
    size: 1Gi
  flowStorage:
    storageClass: "managed-nfs-storage"
    accessMode: ReadWriteOnce
    size: 1Gi

service:
  type: ClusterIP
  httpPort: 8080
  httpsPort: 9443
  nodePort: 30236
  annotations: {}
vim nifi/charts/zookeeper/values.yaml
persistence:
  enabled: true
  storageClass: "managed-nfs-storage"
  accessModes:
    - ReadWriteOnce
  size: 3Gi
  annotations: {}
  dataLogDir:
    size: 3Gi
vim helm-nifi/charts/zookeeper/values.yaml
!!! If our cluster's clusterDomain differs from cluster.local, it has to be changed in the values as well.
The cluster name can be looked up with:
kubectl config view
clusterDomain: test.local

persistence:
  enabled: true
  storageClass: "nfs-storageclass"
  accessModes:
    - ReadWriteOnce
  size: 8Gi
  annotations: {}
  dataLogDir:
    size: 8Gi
After changing the cluster name, the templates have to be fixed too; to do that, go into our Helm chart directory and search recursively:
grep -rli cluster.local .
In every file found, replace cluster.local with our name, test.local.
vim helm-nifi/charts/nifi-registry/values.yaml
persistence:
  enabled: true
  database:
    storageClass: "nfs-storageclass"
    accessMode: ReadWriteOnce
    size: 1Gi
  flowStorage:
    storageClass: "nfs-storageclass"
    accessMode: ReadWriteOnce
    size: 1Gi
To run 2 NiFi instances in the cluster, template/statefulset.yml has to be patched; there is an officially registered bug for this:
https://github.com/cetic/helm-nifi/issues/115
Delete line 193:
{{- if .Values.auth.oidc.enabled }}
and line 221:
{{- end }}
https://github.com/cetic/helm-nifi/blob/0.6.0/templates/statefulset.yaml - the bug is fixed there.
After that, the chart can be installed:
helm install my-nifi --namespace nifi helm-nifi/ --values helm-nifi/values.yaml
At this point a clean NiFi ETL is ready to use, but we need to migrate the existing NiFi configuration (including Process Groups, the libraries for connecting to databases, the authorization data and so on).
Since this is a one-off procedure, we decided to copy the required files into the right directory on the PVCs that had already been created.
The following files were migrated:
authorizers.xml
flow.xml.gz
logback.xml
login-identity-providers.xml
state-management.xml
They were copied like this:
kubectl cp conf/state-management.xml nifi/my-nifi-1:/opt/nifi/nifi-current/conf/state-management.xml
!!!! Copy them to every NiFi instance. Even though the copy reports errors like these:
Defaulting container name to server.
tar: state-management.xml: Cannot open: File exists
tar: Exiting with failure status due to previous errors
command terminated with exit code 2
the required files are still copied.
!!!!!! Do not touch the following files; they belong to the cluster itself:
bootstrap-notification-services.xml
bootstrap.conf
nifi.properties
zookeeper.properties
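One way to script the copy above so that it runs against every replica and cannot touch the four cluster-owned files is the following shell example, added here and not taken from the post or the chart. It assumes the StatefulSet pods are named <release>-0, <release>-1 and so on (as my-nifi-1 above) and that the NiFi container is called server (the name kubectl defaulted to in the output above); namespace, release, replica count and the file list are arguments, and setting KUBECTL=echo prints the kubectl cp commands instead of running them.

```sh
#!/bin/sh
# Added example (not from the post or the cetic/helm-nifi chart): copy NiFi conf
# files into every pod of the StatefulSet, refusing the files the chart renders
# for the cluster itself. Pod naming "<release>-N" and container name "server"
# are assumptions about the release, adjust them to yours.

# Files the post says must not be overwritten: the chart generates them per cluster.
CLUSTER_MANAGED_FILES="bootstrap-notification-services.xml bootstrap.conf nifi.properties zookeeper.properties"
NIFI_CONF_DIR="/opt/nifi/nifi-current/conf"
KUBECTL="${KUBECTL:-kubectl}"   # set KUBECTL=echo for a dry run

# is_cluster_managed PATH -> 0 if the basename is a cluster-managed file, else 1
is_cluster_managed() {
    name=$(basename "$1")
    for m in $CLUSTER_MANAGED_FILES; do
        [ "$name" = "$m" ] && return 0
    done
    return 1
}

# filter_migratable FILE... -> prints the files that may be migrated, one per
# line; reports refused ones on stderr and returns 1 if any were refused.
filter_migratable() {
    refused=0
    for f in "$@"; do
        if is_cluster_managed "$f"; then
            echo "refusing $f: cluster-managed, generated by the chart" >&2
            refused=1
        else
            printf '%s\n' "$f"
        fi
    done
    return $refused
}

# copy_conf_to_replicas NAMESPACE RELEASE REPLICAS FILE...
# Fails closed: if any file is cluster-managed, nothing is copied at all.
# Uses "kubectl cp" as in the post; "-c server" pins the container so kubectl
# does not have to default it.
copy_conf_to_replicas() {
    ns="$1"; release="$2"; replicas="$3"; shift 3
    files=$(filter_migratable "$@") || return 1
    i=0
    while [ "$i" -lt "$replicas" ]; do
        pod="$release-$i"
        for f in $files; do
            "$KUBECTL" cp "$f" "$ns/$pod:$NIFI_CONF_DIR/$(basename "$f")" -c server
        done
        i=$((i + 1))
    done
}

# Dry-run demo (paths are constructed; nothing is executed against a cluster):
( KUBECTL=echo; copy_conf_to_replicas nifi my-nifi 2 conf/flow.xml.gz conf/authorizers.xml )
( KUBECTL=echo; copy_conf_to_replicas nifi my-nifi 2 conf/nifi.properties ) || echo "refused, nothing copied"
```

Run it for real with something like copy_conf_to_replicas nifi my-nifi 2 conf/authorizers.xml conf/flow.xml.gz conf/logback.xml conf/login-identity-providers.xml conf/state-management.xml; because the check happens before the first kubectl cp, a stray nifi.properties in the argument list stops the whole run rather than half of the replicas being updated.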